27.01.2026 | by Lili

 

The comeback of QR code scams

 


Highlights

 

  • QR codes are popular and effective because they prompt automatic action, e.g., payments
  • Unreadable to human eyes and most anti-virus software, QR codes are very dangerous in the hands of fraudsters
  • A comprehensive online monitoring program is needed to detect fraudulent QR codes impersonating your brand and harming your customers

 

 

In the last few years, QR codes have become ubiquitous. They let us read menus in restaurants, lead us to websites for further information on any given subject, allow us to pay for any purchase in seconds, and, in the wrong hands, steal our vulnerable personal and financial data.

 

Read on to discover all about QR code scams and how to avoid them!

 

 

What are QR codes?

Introduced in 1994 in Japan, Quick Response (QR) codes were originally invented to track vehicle parts and finished products in an automobile factory. The aim was to create a two-dimensional code with a larger data storage capacity and faster readability than traditional barcodes.

 

Soon, other industries adopted QR codes, but the real turning point came in the early twenty-first century with the appearance of smartphones. Suddenly, QR codes were adapted into customer-facing applications in various industries. Another major stepping stone was the 2020s, during which the COVID pandemic highlighted the need for touchless payments and information sharing more than ever.

 

Nowadays, smartphone users can even generate their own QR codes for various purposes, including sharing restaurant menus, sending packages, or receiving payments.

 

 

An illustration of several QR codes displayed in various colors, prompting users to scan them


 

 

Within seconds, QR code readers can decode the information encoded in the pattern and immediately carry out the action the code prompts. This can be accessing a website, displaying an address, or wiring money. Fast and automatic action: no wonder QR codes are popular all over the world.

 

However, there’s a serious security issue.

 

Just as with barcodes, human eyes alone are unable to decode the message encoded in QR codes. However, unlike barcodes, QR codes not only store information but also prompt an immediate action, which is precisely why users like them so much, fraudsters included. So much so that a new term was coined to refer to malicious cyberattacks conducted via QR codes: quishing.

 

 

How quishing attacks work

Quishing attacks usually occur when unsuspecting users are prompted to read a malicious QR code with their smartphones. This can happen in a wide variety of scenarios. Fraudsters may send the codes in phishing emails or text messages, implying that the code leads to a legitimate website, like that of a postal service, a restaurant, a bank, a charity, etc.

 


 

Others distribute flyers or direct mail advertising fake services, complete with fraudulent QR codes. Some fraudsters even go as far as sticking their malicious codes over legitimate codes of trusted providers, e.g., public transport, an event poster, or even a parking meter.

 

The code then prompts users to visit a fraudulent website, a fake payment page, or download malicious software. The action is carried out automatically, and in many cases users only need to hold their device in front of their face for the payment/download to go through, which means that people don’t even get a chance to think twice about what they’re doing.

 

Since QR codes are widely used in all areas of life, businesses and consumers are equally targeted by and vulnerable to quishing.

 

 


 

 

How to spot malicious QR codes

As mentioned earlier, QR codes are unreadable by human eyes, preventing people from noticing the scam. What’s even more troubling is that the usual security systems (e.g., firewalls, antivirus software) are also unable to detect them, as QR codes don’t contain traditionally clickable links for these systems to follow and examine.

 

This means that users have to be extra cautious before using any QR code. Luckily, there are a few tips you can keep in mind to protect yourself.

 

  1. Be wary of QR codes from unexpected sources. Did you get a surprise package? A flier appeared in your mailbox with an enticing offer? An interesting sticker catches your eye while you wait for the bus? Don’t scan their QR codes, because they are very likely to lead you to websites you don’t want to visit.

  2. Check the appearance of QR codes in trusted locations. If a code is much newer than the restaurant menu itself, or slightly misaligned with the rest of the content, ask the staff, or visit their website manually instead of reading the code with your device.

  3. On fliers and product catalogues, check for suspicious wording. Anything that urges you to act quickly and automatically is a cause for concern, including terms like "scan now or lose access," "huge discount for one day only," or "act now to prevent your account from being locked."

  4. If you end up scanning the code, check the URL of the website you landed on (in some cases, your smartphone even displays the URL before leading you to it). Is it really the genuine site of the brand? Look for shortened URLs, misspellings, or domain names that don’t match the brand. Also, think carefully about the data that you’re being asked to share. Is it reasonable, or excessive for the actual purpose?

 


 

 

How to make QR codes safer

Despite these dangers, it’s quite unlikely that QR codes would be scrapped from daily use. They’re too effective for that. However, certain measures need to be taken to ensure their users’ safety.

 

 

An illustration of the safety of QR codes, displaying a smartphone with a lock next to a QR code


 

 

Apps reading QR codes should have a built-in verification system to ensure that the URLs they’re leading their users to aren’t malicious. Default protection on messaging and email systems should include detecting fraudulent QR codes, despite the lack of clickable links in the code.
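
The URL checks from tip 4 above (shortened URLs, misspellings, domains that don’t match the brand) and the built-in verification described here, sketched as an added example; it is not code from this article or from any scanner app. The shortener list, the brand domain example-bank.com, and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
import difflib
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values for illustration only.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # short, non-exhaustive list
BRAND_DOMAINS = {"example-bank.com"}             # hypothetical brand allow-list

def base_domain(host):
    # Naive "last two labels"; a real scanner should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def assess_qr_payload(payload, brand_domains=BRAND_DOMAINS):
    """Return a list of warning strings for a decoded QR payload."""
    findings = []
    url = urlsplit(payload.strip())
    host = (url.hostname or "").lower().rstrip(".")
    if url.scheme not in ("http", "https") or not host:
        return ["not a web link: show the raw payload, do not auto-open"]
    if url.scheme != "https":
        findings.append("no TLS (http://)")
    if url.username or url.password:
        findings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
        return findings
    except ValueError:
        pass  # not an IP literal, continue with domain checks
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homoglyph domain)")
    base = base_domain(host)
    if base in SHORTENERS:
        findings.append("shortened URL: destination is hidden")
    if base not in brand_domains:
        for brand in brand_domains:
            name = brand.split(".")[0]
            ratio = difflib.SequenceMatcher(None, base, brand).ratio()
            # Near-miss spelling, or the brand name embedded in another domain.
            if ratio >= 0.85 or name in host:
                findings.append(f"looks like {brand} but is {base}")
                break
    return findings
```

An empty list means none of these checks fired, not that the destination is safe; a scanner would show the findings to the user before opening anything.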

 

Organizations using QR codes should periodically check that the codes they distribute on physical media haven’t been tampered with. In addition, user education about quishing is very important for both businesses and consumers.

 

 

QR codes and online brand protection

If your brand uses QR codes to connect with your customers, you’re also vulnerable to quishing, as fraudsters get to your customers’ sensitive data by hijacking your brand’s touchpoints, damaging your reputation and bottom line in the process.

 

As mentioned earlier, human eyes can’t verify the authenticity of a QR code, and since many smart devices are less protected from malicious sites than desktop computers, fake QR codes can easily lead to fraudulent websites that impersonate your brand.

 

This is why you need a strong and resourceful online monitoring service to check for content that uses fake QR codes. This can include product listings, images, social media posts, ads, single webshops, domains, and many more. globaleyez’s versatile and flexible services detect any kind of fraudulent content that infringes on your IP rights and harms your brand.

 

Keeping your QR codes safe includes regularly checking whether they’ve been tampered with, and educating your employees as well as your customers about the dangers of quishing.

 

 

Conclusion

While QR codes are definitely useful, they also bring along a certain amount of danger that brands and consumers need to be aware of. Don’t let a fraudulent QR code damage your brand’s reputation!

 

Contact us and let’s discuss how to keep your brand and your customers safe from quishing.